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IN THE CLAIMS 

For the convenience of the Examiner, all pending claims of the Application are 
reproduced below. 

1 . (Currently Amended) A method for using a binary state machine for 
processing a data stream in an intrusion detection system, the method comprising: 

maintaining a state table, the state table indexed such that inputs comprising a current 
state and a current character yield an output of a new state, the new state related to an 
indication of an attack on a computer network; 

maintaining the current state; 

receiving an input stream comprising , at a stat e machin e of an intrusion d e t e ction 
device, an input str e am d e stined for a first network d e vice to bo protect e d by the intrusion 
d e t e ction d e vic e , the input str e am rec e ived at th e stat e machin e prior to r e aching th e first 
network d e vic e and comprising a first plurality of characters, a second plurality of characters, 
and at least one variable character between the first plurality and the second plurality of 
characters, wherein the first plurality and the second plurality of characters together 
constitute a REGEX signature a plurality of characters, wh e r e in th e first n e twork d e vic e is 
op e rabl e to e x e cut e a program ; 

processing the first plurality of characters using the state table; 

after processing the first plurality of characters, for each one of the at least one 
variable character: 

selecting the variable character as the current character; 

generating a state for the current character that is independent of the current 

character; 

after generating the state, selecting a first character of the second plurality of 
characters input stream as the current character; and 

after selecting the first character, comparing the current character and the current state 
to the state table to generate a new state. 

2. (Original) The method of Claim 1, further comprising initializing the current 
state to an initial state. 

DAL01 :808301. 1 



ATTORNEY DOCKET PATENT 
062891.0324 09/415,293 

3 

3. (Currently Amended) The method of Claim 1, further comprising: 
setting the current state equal to the new state; 

selecting a next character of the second plurality of characters as the current 
character, the next character appearing subsequent to the first characte r in th e input str e am ; 
and 

repeating the comparing step. 

4. (Original) The method of Claim 1 , further comprising recognizing the new 
state as indicative of an attack upon the computer network. 

5. (Original) The method of Claim 5, further comprising sounding an alarm. 

6. (Original) The method of Claim 1, further comprising generating the state 
table from a REGEX command. 

7. (Currently Amended) A system for use as a binary state machine for 
processing a data stream in an intrusion detection system, the system comprising: 

a state table indexed such that inputs comprising a current state and a current 
character yield an output of a new state, the new state related to an attack on a computer 
network; and 

a state machine communicatively coupled to the state table, the state machine 

operable to: 

maintain the current state; 

receive an input stream , the input stream comprising a first plurality of 
characters, a second plurality of characters, and at least one variable character between the 
first plurality and the second plurality of characters, wherein the first plurality and the second 
plurality of characters together constitute a REGEX signature d e stin e d for a first n e twork 
d e vic e to b e protect e d by th e intrusion d e t e ction syst e m, th e input str e am rec e iv e d prior to 
reaching the first network device and comprising a plurality of charact e rs, wh e r e in th e first 
n e twork d e vice is op e rabl e to e x e cut e a program 

process the first plurality of characters using the state table; 

after processing the first plurality of characters, for each one of the at 
least one variable character: 
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select the variable character as the current character; 
generate a state for the current character that is independent of 

the current character; 

after generating the state, select a first character of the second plurality 
of characters input stream as the current character; and 

after selecting the first character, compare the current character and the 
current state to the state table to generate a new state. 



8. (Original) The system of Claim 7 further comprising a computer readable 
medium, wherein the state table is stored upon the computer readable medium. 

9. (Original) The system of Claim 8, wherein the state machine comprises 
software code stored upon the computer readable medium, the software code further operable 
to be executed by a computer processor. 



10. (Original) The system of Claim 7, wherein the state machine is further 
operable to initialize the current state to an initial state. 



1 1 . (Currently Amended) The system of Claim 7, wherein the state machine is 
further operable to: 

set the current state equal to the new state; 

select a next character of the second plurality of characters as the current 
character, the next character appearing subsequent to the first character in the input stream ; 
and 

repeat the comparing step. 

12. (Original) The system of Claim 7, wherein the state machine is further 
operable to recognizing the new state as indicative of an attack upon the computer network. 

13. (Currently Amended) A system for use as an intrusion detection system, the 
system comprising: 

a computer readable medium; 
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a network interface for receiving an input stream comprising a first plurality 
of characters, a second plurality of characters, and at least one variable character between the 
first plurality and the second plurality of characters, wherein the first plurality and the second 
plurality of characters together constitute a REGEX signature d e stin e d for a first n e twork 
d e vic e to be prot e ct e d by th e intrusion d e t e ction syst e m, th e n e twork int e rfac e op e rabl e to 
rec e ive the input stream befor e th e input stream reaches tho first network device, the input 
str e am comprising a plurality of characters transmitt e d by a s e cond n e twork d e vic e , wh e r e in 
th e first n e twork device is op e rabl e to e x e cut e a program ; 

a processor communicatively coupled to the computer readable medium and 
the network interface; 

a state table stored upon the computer readable medium, the state table 
indexed such that inputs comprising a current state and a current character yield an output of 
a new state, the new state related to an attack on a computer network; and 

a state machine comprising instructions stored upon the computer readable 
medium and executable by the processor, the state machine communicatively coupled to the 
state table, the state machine operable to: 

maintain the current state; 

process the first plurality of characters using the state table; 
after processing the first plurality of characters, for each one of the at 
least one variable character: 

select the variable character as the current character; 
generate a state for the current character that is independent of 

the current character; 

after generating the state, select a first character of the second plurality 
of characters input str e am as the current character; and 

after selecting the first character, compare the current character and the 
current state to the state table to generate a new state. 

14. (Currently Amended) A logic for using a binary state machine for processing 
a data stream in an intrusion detection system, the logic embodied in a computer-readable 
medium and operable to: 
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maintain a state table, the state table indexed such that inputs comprising a current 
state and a current character yield an output of a new state, the new state related to an 
indication of an attack on a computer network; 

maintain the current state; 

receive an input stream comprising a first plurality of characters, a second plurality of 
characters, and at least one variable character between the first plurality and the second 
plurality of characters, wherein the first plurality and the second plurality of characters 
together constitute a REGEX signature an input str e am d e stin e d for a first network d e vic e to 
b e protected by tho intrusion d e t e ction syst e m, th e input str e am r e c e iv e d at th e logic prior to 
r e aching th e first n e twork d e vic e and comprising a plurality of characters, wh e r e in the first 
network d e vic e is op e rabl e to make a d e cision according to a program 

process the first plurality of characters using the state table; 

after processing the first plurality of characters, for each one of the at least one 
variable character: 

select the variable character as the current character; 

generate a state for the current character that is independent of the current 

character; 

after generating the state, select a first character of the second plurality of characters 
input str e am as the current character; and 

after selecting the first character, compare the current character and the current state 
to the state table to generate a new state. 

15. (Previously Presented) The logic of Claim 14, further operable to initialize 
the current state to an initial state. 

16. (Currently Amended) The logic of Claim 14, further operable to: 
set the current state equal to the new state; 

select a next character of the second plurality of characters as the current 
character, the next character appearing subsequent to the first character in the input stream ; 
and 

repeat the comparing step. 
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17. (Previously Presented) The logic of Claim 14, further operable to recognize 
the new state as indicative of an attack upon the computer network. 

18. (Canceled). 

19. (Previously Presented) The logic of Claim 14, further operable to generate the 
state table from a REGEX command. 

20. (Currently Amended) An intrusion detection system, comprising: 
means for maintaining a state table, the state table indexed such that inputs 

comprising a current state and a current character yield an output of a new state, the new state 
related to an indication of an attack on a computer network; 
means for maintaining the current state; 

means for receiving an input stream comprising a first plurality of characters, a 
second plurality of characters, and at least one variable character between the first plurality 
and the second plurality of characters, wherein the first plurality and the second plurality of 
characters together constitute a REGEX signature d e stin e d for a first n e twork d e vic e to b e 
prot e ct e d by th e intrusion d e t e ction sy s t e m, th e input str e am r e c e iv e d at th e m e ans for 
r e ceiving th e input stream prior to reaching the first network d e vic e and comprising a 
plurality of charact e rs, wh e r e in th e first n e twork d e vic e is op e rabl e to e x e cut e a program ; 

means for processing the first plurality of characters using the state table; 

means for selecting, after the first plurality of characters has been processed, each one 
of the at least one variable character as the current character and generating, for each selected 
variable character, a state for the current character that is independent of the current 
character; 

means for selecting a first character of the second plurality of characters input stream 
as the current character; and 

means for comparing the current character and the current state to the state table to 
generate a new state; and 

means for transmitting the copy of the input stream to the first network device if an 
attack on the computer network is not detected. 
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2 1 . (Currently Amended) The method of Claim 1 , and further comprising: 
setting the current state equal to the new state; 

selecting a next character of the second plurality of characters as the current 
character, the next character appearing subsequent to the first characte r in th e input str e am ; 

repeating the comparing step; and 

wherein each character in the input stream is selected only once th e first character and 
th e n e xt charact e r are e ach s e l e ct e d and compar e d only onc e. 
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